Tox.im

Dāvis Mosāns davispuh at gmail.com
Mon Jul 7 06:06:47 PDT 2014


I don't agree. I think XMPP could be a good solution. Yes, the attack
surface is quite large, but it will be in any case, because even if you
create the most minimalist chat protocol possible (let's say basically use
asymmetric cryptography for messages which are plaintext without any
features) you can still have bugs in the cryptography library, network stack,
OS/kernel. This part will be the same no matter what messaging protocol you
use. So by changing plaintext to another payload such as XMPP we introduce
another layer, but this layer could be parsed in a sandbox / virtual machine,
thus even if you receive a malicious message it couldn't exploit other parts
of your system and it would work exactly like that simple plaintext
protocol. Now, what if there's a bug in the cryptography library? Well, you
have already lost even with your basic plaintext protocol...


2014-07-07 11:41 GMT+03:00 stef <s at ctrlc.hu>:

> On Mon, Jul 07, 2014 at 09:11:24AM +0200, edhelas wrote:
> > I really think that we need to focus on an existent standard and improve it,
> > and for me XMPP seems to be the perfect protocol for all these things:
> > - Standard IM + chatroom
> > - Video/Audio conferencing (with Jingle, we are using it with WebRTC on
> > Movim)
> > - Pubsub (for newsfeeds, blogging)
> > - Geolocation
> > - Vcard4 support
> > - SASL2 authentication
> > - OTR support
> > - Full encryption between the servers (https://xmpp.net/list.php)
> > - and so on…
>
> i dunno, but xml based protocol (attack surface), geolocation (privacy),
> video/audio conferencing (traffic analysis), etc are all attributes i do not
> want in a secure communication protocol and a protocol that supports these is
> considered bloated. also the huge amounts of known/guessable plaintext in xmpp
> are quite worrisome. i agree NIH is bad, but xmpp is as bad for a post-snowden
> adversary model.
>
> --
> otr fp: https://www.ctrlc.hu/~stef/otr.txt
>